Six Fundamental Precepts for the Modern CISO Role
I remember growing up as a kid there was this bookstore near my house called The Cobblestone Bookstore. It was family-owned and in a strip mall. They had a section in the back of the store that was all science fiction, which became my haven. I spent hours in that store finding new books to read, and one afternoon I found the Isaac Asimov section. I fell in love with his Robot series, and I especially enjoyed the Foundation trilogy. I think it was in reading his stories that I developed my fascination with technology and the intertwined ways it can be used for both good and evil. It was one of his books that I recently read again, “I, Robot,” and its fundamental Three Laws of Robotics, that got me thinking about the modern CISO role.
As I re-read one of my favorite books, I asked myself: if I were to look at the role of CISO, what would be the fundamental precepts (laws) that CISOs should follow in today’s evolving business environment? At first, I decided to convert the original three laws of robotics into rules that related to how CISOs should protect and provide value to their organizations. But after much thought, I decided to really geek out and convert the original six laws of robotics into a framework that could be applied to CISOs today. What follows is my attempt to describe six basic professional rules CISOs should follow to be effective in their continuously changing roles.
1. A CISO may not damage their organization or, through inaction, allow their organization to come to harm.
a. As a CISO, we will have access to data and technologies that could be used to significantly impair our organization’s ability to conduct business. As a security professional and leader within our company, we are there to set a standard of professionalism with regard to enterprise risk management and security operations – we are not there to harm.
2. A CISO must implement security controls found in established risk management frameworks except where such controls would conflict with the First Precept.
a. As a CISO, we must exercise reasonable care. This means we must implement established frameworks and their associated security controls to protect the business. Through the use of these frameworks, controls, and continuous monitoring, we provide value to our company. The controls we implement should make the organization secure and reduce its risk exposure; they should not jeopardize the first precept.
3. A CISO must develop and mentor their security program & teams as long as this growth is aligned to support the First or Second Precepts.
a. As CISOs, we will compete for budget to grow our security program and establish our teams. However, this drive for budget and growth should be aligned with our company’s strategic needs. As the senior security executive for the company, the CISO should build a security program and mentor teams that are focused on providing services that support their company and do not jeopardize business operations. In following this guideline, the CISO will strengthen the first two precepts.
4. A CISO must evangelize the value of his/her security program for the company, creating an educated, security-aware business culture, as long as it does not interfere with the First, Second, or Third Precepts.
a. For a CISO to be successful, their stakeholders, peers, organizational leadership, and partners must understand how a mature, adequately funded security program supports the company. This understanding should be built through efforts such as continuous education, lunch & learns, and web-based training that reinforce current business operations and regulatory requirements. For this to be successful, the CISO will need to verify the effectiveness of their training program and, through monitoring, ensure it doesn’t impede the first three precepts.
5. A CISO must understand their organization’s business operations and its critical assets to efficiently manage its risk and support it in times of crisis.
a. Visibility is a core capability: CISOs must have it into their organization’s networks, workflows, and critical assets. With this context, CISOs better understand the threats, vulnerabilities, and risks they must manage. This data enables the CISO and team to develop incident response procedures, support business continuity processes, and train security staff and support personnel. In times of crisis, the CISO may override precepts to ensure the survival of the business, except where it concerns the health of personnel.
6. A CISO must collaborate with their peers and give back to the cyber community at large as long as this involvement does not interfere with the First, Second, or Third Precepts.
a. A CISO at times will need to ask for help or provide assistance to a peer. As a security executive in the diverse cybersecurity community, the CISO should be involved. This involvement will enable their professional growth and that of their staff, peers, and partners. As a community, we are all better when we participate and provide input; however, as CISOs, we must remember that any professional activities should support the first three precepts.
In closing, I find many people today are transitioning into the field of cybersecurity without understanding what may be required of them. Cyber is a field that needs a diverse range of skillsets, continuous education, and experience to be successful. Many people who are coming to our community for the first time lack context for where they should start or for the diverse roles one job may require of them. This issue is evident in the role of Chief Information Security Officer. This position has matured over the last several years, taking on numerous business-related functions as CISOs accept the role of business enabler and partner to their organizations. The above six precepts are my view of some of the primary services the modern CISO role provides to an organization.
Published with author’s permission from Peerlyst.